Site Meter

Category: Privacy (Law Enforcement)

0

Heads Up 3D Printing and more: The Georgetown Law Journal Volume 102 Symposium: “Law in an Age of Disruptive Technology”

Folks,

As you know Gerard and I have been working up our paper Patents, Meet Napster: 3D Printing and the Digitization of Things . It will be part of The Georgetown Law Journal Volume 102 Symposium: “Law in an Age of Disruptive Technology” which will take place on Friday November 8, 2013. There will be panels about driverless cars and mass surveillance as well. We hope to see many of you there. (RSVP at this link).

It is a great honor to be part of this lineup:

Keynote Address by Professor Neal Katyal

3-D Printing
Chaired by Professors Deven Desai and Gerard Magliocca

Driverless Cars & Tort Liability
Chaired by Professor Bryant Walker Smith

Mass Surveillance Technology
Chaired by Professor Christopher Slobogin

1

Justice Sutherland on Wiretapping

As part of my ongoing research on George Sutherland, I came across an interesting passage in his dissent from United States v. Nardone.  Nardone was a 1936 case holding that the Communication Act of 1934, which prohibited employees from intercepting electronic communications, applied to wiretaps used by the FBI and other federal agents.  (This was a decision, BTW, that J. Edgar Hoover and Franklin Roosevelt largely ignored.)  Sutherland argued (for himself and McReynolds) that Congress did not intend to include criminal investigations in this statute, and concluded with this purple passage:

“My abhorrence of the odious practices of the town gossip, the peeping Tom, and the private eavesdropper is quite as strong as that of any of my brethren. But to put the sworn officers of the law, engaged in the detection and apprehension of organized gangs of criminals, in the same category, is to lose all sense of proportion. In view of the safeguards against abuse of power furnished by the order of the Attorney General, and in the light of the deadly conflict constantly being waged between the forces of law and order and the desperate criminals who infest the land, we well may pause to consider whether the application of the rule which forbids an invasion of the privacy of telephone communications is not being carried in the present case to a point where the necessity of public protection against crime is being submerged by an overflow of sentimentality.”

NSA Penalty Proposed

Readers suggested potential penalties for improper gathering or misuse of surveillance data last month.  As revelations continue, Congressmen have recently proposed some new ideas:

Rep. Mike Fitzpatrick (R-Pa.) proposed legislation . . .  that would cut National Security Agency (NSA) funding if it violates new surveillance rules aimed at preventing broad data collection on millions of people.

Fitzpatrick has also offered language to restrict the term “relevant” when it comes to data collection.  On the one hand, it seems odd for Congress to micromanage a spy agency.  On the other hand, no one has adequately explained how present safeguards keep the integrated Information Sharing Environment from engaging in the harms catalogued here and here. So we’re likely to see many blunt efforts to cut off its ability to collect and analyze data, even if data misuse is really the core problem.

Focusing on the Core Harms of Surveillance

CoreHarmsThe “summer of NSA revelations” rolls along, with a blockbuster finale today. In June, Jennifer Granick and Christopher Sprigman flatly declared the NSA criminal. Now the agency’s own internal documents (leaked by Snowden) appear to confirm thousands of legal violations.

Legal scholars will not be surprised by the day’s revelations, just as few surveillance experts were all that shocked by the breadth and depth of PRISM, PINWALE, MARINA, and other programs. Ray Ku called warrantless surveillance unconstitutional in 2010. Civil liberties groups and legal scholars warned us repeatedly about where Bush-era executive power theories would lead. As anyone familiar with Bruce Ackerman’s work might guess, pliable attorneys have rubber-stamped the telephony metadata program with a “white paper” that “fails to confront counterarguments and address contrary caselaw” and “cites cases that [are] relatively weak authority for its position.” There are no meaningful penalties in sight (perhaps because the OLC has prepared documents that function as a “get out of jail free” card for those involved).
Read More

5

Letting the Air Out

The NSA and the rest of our surveillance state apparatus is shrouded in secrecy. As captured in Frank Pasquale’s superb forthcoming book, governmental surveillance is a black box. Gag orders prevent Internet companies from talking about their participation in PRISM; nearly everything revealing is classified; the Executive Branch is telling us half truths or no truths. To counter massive governmental overreach, Bradley Manning, Edward Snowden, and others have exposed some sunlight on our surveillance state. That sunlight isn’t coming from those who are betraying the country, but those who are trying to save it, at least that’s what many registered voters think. According to a Quinnipiac poll released today, American voters say “55 – 34 percent” that NSA consultant Edward Snowden is a “whistleblower rather than a traitor.” According to the assistant director of the Quinnipiac University Polling Institute, “Most American voters think positively of Edward Snowden,” at least they did before he accepted asylum in Russia. From July 28 to July 31, 1,468 registered voters were surveyed on the phone. These sorts of leaks seem inevitable, at least culturally given our so-called commitment to openness and transparency. The leakers/whistleblowers are trying to nudge the Executive Branch to honor its commitments to the Fourth Amendment, the sentiments of the Church Report, and the Administration’s 2009 Openness and Transparency memo. Let’s see if letting the air out moves us closer to the kind of country we say we are.

H/T: Yale ISP’s Christina Spiesel for the Quinnipiac Poll

2

Predictive Policing and Technological Due Process

Police departments have been increasingly crunching data to identify criminal hot spots and to allocate policing resources to address them. Predictive policing has been around for a while without raising too many alarms. Given the daily proof that we live in a surveillance state, such policing seems downright quaint. Putting more police on the beat to address likely crime is smart. In such cases, software is not making predictive adjudications about particular individuals. Might someday governmental systems assign us risk ratings, predicting whether we are likely to commit crime? We certainly live in a scoring society. The private sector is madly scoring us. Individuals are denied the ability to open up bank accounts; they are identified as strong potential hires (or not); they are deemed “waste” not worthy of special advertising deals; and so on. Private actors don’t owe us any process, at least as far as the Constitution is concerned. On the other hand, if governmental systems make decisions about our property (perhaps licenses denied due to a poor scoring risk), liberty (watch list designations leading to liberty intrusions), and life (who knows with drones in the picture), due process concerns would be implicated.

What about systems aimed at predicting high-crime locations, not particular people? Do those systems raise the sorts of concerns I’ve discussed as Technological Due Process? A recent NPR story asked whether algorithmic predictions about high-risk locations can form the basis of a stop and frisk. If someone is in a hot zone, can that very fact amount to reasonable suspicion to stop someone in that zone? During the NPR segment, law professor Andrew Guthrie Ferguson talked about the possibility that the computer’s prediction about the location may inform an officer’s thinking. An officer might credit the computer’s prediction and view everyone in a particular zone a different way. Concerns about automation bias are real. Humans defer to systems: surely a computer’s judgment is more trustworthy given its neutrality and expertise? Fallible human beings, however, build the algorithms, investing them with bias, and the systems may be filled with incomplete and erroneous information. Given the reality of automated bias, police departments would be wise to train officers about automation bias, which has proven effective in other contexts. In the longer term, making pre-commitments to training would help avoid unconstitutional stops and wasted resources. The constitutional question of the reasonableness of the stop and frisk would of course be addressed on a retail level, but it would be worth providing wholesale protections to avoid wasting police time on unwarranted stops and arrests.

H/T: Thanks to guest blogger Ryan Calo for drawing my attention to the NPR story.

0

Prism and Its Relationship to Clouds, Security, Jurisdiction, and Privacy

In January I wrote a piece, “Beyond Data Location: Data Security in the 21st Century,” for Communications of the ACM. I went into the current facts about data security (basic point: data moving often helps security) and how they clash with jurisdiction needs and interests. As part of that essay I wrote:

A key hurdle is identifying when any government may demand data. Transparent policies and possibly treaties could help better identify and govern under what circumstances a country may demand data from another. Countries might work with local industry to create data security and data breach laws with real teeth as a way to signal that poor data security has consequences. Countries should also provide more room for companies to challenge requests and reveal them so the global market has a better sense of what is being sought, which countries respect data protection laws, and which do not. Such changes would allow companies to compete based not only on their security systems but their willingness to defend customer interests. In return companies and computer scientists will likely have to design systems with an eye toward the ability to respond to government requests when those requests are proper. Such solutions may involve ways to tag data as coming from a citizen of a particular country. Here, issues of privacy and freedom arise, because the more one can tag and trace data, the more one can use it for surveillance. This possibility shows why increased transparency is needed, for at the very least it would allow citizens to object to pacts between governments and companies that tread on individual rights.

Prism shows just how much a new balance is needed. There are many areas to sort to reach that balance. They are too many to explore in blog post. But as I argued in the essay, I think that pulling in engineers (not just industry ones), law enforcement, civil society groups, and oh yes, lawyers to look at what can be done to address the current imbalance is the way to proceed.

0

Harvard Law Review Privacy Symposium Issue

The privacy symposium issue of the Harvard Law Review is hot off the presses.  Here are the articles:

SYMPOSIUM
PRIVACY AND TECHNOLOGY
Introduction: Privacy Self-Management and the Consent Dilemmas
Daniel J. Solove

What Privacy is For
Julie E. Cohen

The Dangers of Surveillance
Neil M. Richards

The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures
Paul M. Schwartz

Toward a Positive Theory of Privacy Law
Lior Jacob Strahilevitz

3

Overturning the Third-Party Doctrine by Statute: Hard and Harder

Privacy advocates have disliked the third-party doctrine at least from the day in 1976 when the Supreme Court decided U.S. v. Miller.  Anyone who remembers the Privacy Protection Study Commission knows that its report was heavily influenced by Miller.  My first task in my long stint as a congressional staffer was to organize a hearing to receive the report of the Commission in 1977.  In the introduction to the report, the Commission called the date of the decision “a fateful day for personal privacy.”

Last year, privacy advocates cheered when Justice Sonia Sotomayor’s concurrence in U.S. v. Jones asked if it was time to reconsider the third-party doctrine.  Yet it is likely that it would take a long time before the Supreme Court revisits and overturns the third-party doctrine, if ever.  Sotomayor’s opinion didn’t attract a single other Justice.

Can we draft a statute to overturn the third-party doctrine?  That is not an easy task, and it may be an unattainable goal politically.  Nevertheless, the discussion has to start somewhere.  I acknowledge that not everyone wants to overturn Miller.  See Orin Kerr’s The Case For the Third-party Doctrine.  I’m certainly not the first person to ask the how-to-do-it question.  Dan Solove wrestled with the problem in Digital Dossiers and the Dissipation of Fourth Amendment Privacy.

I’m going at the problem as if I were still a congressional staffer tasked with drafting a bill.  I see right away that there is precedent.  Somewhat remarkably, Congress partly overturned the Miller decision in 1978 when it enacted The Right to Financial Privacy Act, 12 U.S.C. § 3401 et seq.  The RFPA says that if the federal government wants to obtain records of a bank customer, it must notify the customer and allow the customer to challenge the request.

The RFPA is remarkable too for its exemptions and weak standards.  The law only applies to the federal government and not to state and local governments.  (States may have their own laws applicable to state agencies.)  Bank supervisory agencies are largely exempt.  The IRS is exempt.  Disclosures required by federal law are exempt.  Disclosures for government loan programs are exempt.  Disclosures for grand jury subpoenas are exempt.  That effectively exempts a lot of criminal law enforcement activity.  Disclosures to GAO and the CFPB are exempt.  Disclosures for investigations of crimes against financial institutions by insiders are exempt.  Disclosures to intelligence agencies are exempt.  This long – and incomplete – list is the first hint that overturning the third-party doctrine won’t be easy.

We’re not done with the weaknesses in the RFPA.  A customer who receives notice of a government request has ten days to challenge the request in federal court.  The customer must argue that the records sought are not relevant to the legitimate law enforcement inquiry identified by the government in the notice.  The customer loses if there is a demonstrable reason to believe that the law enforcement is legitimate and a reasonable belief that the records sought are relevant to that inquiry.  Relevance and legitimacy are weak standards, to say the least.  Good luck winning your case.

Who should get the protection of our bill?  The RFPA gives rights to “customers” of a financial institution.  A customer is an individual or partnership of five or fewer individuals (how would anyone know?).  If legal persons also receive protection, a bill might actually attract corporate support, along with major opposition from every regulatory agency in town.  It will be hard enough to pass a bill limited to individuals.  The great advantage of playing staffer is that you can apply political criteria to solve knotty policy problems.  I’d be inclined to stick to individuals.

Read More

1

“Brain Spyware”

As if we don’t have enough to worry about, now there’s spyware for your brain.  Or, there could be.  Researchers at Oxford, Geneva, and Berkeley have created a proof of concept for using commercially available brain-computer interfaces to discover private facts about today’s gamers. Read More